Plan Events in Europe – You Need to Understand the New General Data Protection Regulation

There is a big change coming for those who plan and execute meetings and events in Europe. You and your partners need to get your house-o-data in order, and you need to do it pronto. Beginning on May 25, 2018, the GDPR (General Data Protection Regulation) goes into effect and will bring with it tough new EU-wide data protection rules that will have a direct effect on your association or company. And yes, even with Brexit, the UK thinks this is a good thing and they are hopping on the bandwagon.

The GDPR will require that you review and update how you collect, store, and process the personal information of your attendees, members, and service providers. You will need to demonstrate that you and your partners are in compliance with the GDPR. Yes. You read that right. You and your partners. This means that you need to know that your registration company, your app company, your badge company… heck, any company that you share data with, is in compliance. Be warned: if you (or they) are found to be treating attendee or member data poorly, you better get an umbrella, ’cause those nifty new enforcement powers are gonna come raining down on your little conference planning parade.

Before you jump off the data storage facility’s balcony, relax; most of the larger, more reputable companies that you partner with will already be in compliance. As long as you are not using Registration-Is-Us or Bob’s Event App Emporium, you should be OK… because you should be doing most of this already.

Here is a quick look at what some of the new rules include (note: this is just an overview; there are pages and pages of new rules, and I am not a lawyer type):

  • Consent to Share – This means that there needs to be “clear affirmative action” before consent to share data is established. No more pre-ticked boxes stating that attendees accept the terms and conditions. Gone. Get over it. They have to check the box themselves, and the terms should be in plain sight, not hidden under small text and itty bitty little links.
  • Transparency – You need to be ready to share with your attendees in detail how their data will be used, where it is being stored, how long you intend to keep it, and what you are doing to make sure that it is safe. Seriously, this is not hard to do, so don’t muck it up.
  • Lawful Processing – There are new rules on processing data. Basically, you need a valid reason to be collecting the data, but I will let someone else explain this bad boy.
  • Privacy First – Your daily operations must now be privacy first. Got it. That is not a joke. You must downsize the amount of data you hold on attendees, and you must default to the best privacy settings in all of your technology. So, two-factor authentication had better be your friend, and stop using “p@ssw0rd” as your password, ’cause it is not clever (really, go test it here).
  • Hack and breach notifications – You have 72 hours to notify regulators and the affected individuals in the event of a data privacy breach where there is a risk of harm to individuals.
  • Access to Info – Individuals can access their personal data, have the right to know how that data is being used, and you have a shorter time to respond to their requests for information. There is also a new “right of erasure” and “right of data portability,” which means that if they write to you and say, “Erase my data,” you better damn well just erase their data (an exception to this is transaction records, of course; if they bought a registration, you don’t have to erase the transaction details).
  • Accountability – You must now be ready to prove that you are complying with the GDPR. This is not rocket science; document what you do and how you do it.
  • Data Protection Officer – You must now have one. But it’s OK; you can pick Sally, your Director of IT; it just has to be one person to rule them all and who knows what you are doing inside and out. You can even outsource this gig if you must.
  • Penalties – It is the EU, people; the fines will be huge because they want you to actually do the right thing and be accountable.
  • Non-Traditional Items – Yes, it is primarily computers, networks, and the web that we are talking about, but there are other places where attendee data lives in electronic form. Name badges, lanyards, and ID card printer ribbons are just a few things to consider.

Think of it like this… It is the start of the zombie apocalypse and just your luck, the week before, your community voted you the leader of the neighborhood watch. Now, it is up to you to build a wall around your house to protect your family from the walking dead hordes and to rally your neighbors to secure their own houses. You are the perfect person for the job; you are a meeting planner. No zombies are getting into your neighborhood on your watch. No siree. Plans are useful in a situation like this.

To learn more about how the GDPR will impact you, follow these links:

To learn more about protecting your home from zombies… go here.

Keith Johnston

Keith is the Managing Partner of i3 Events but is most widely known as the outspoken publisher of the event industry blog PlannerWire. In addition to co-hosting the Bullet List and Event Tech Pull Up Podcasts, he has been featured in Plan Your Meetings, Associations Now, Convene, Event Solutions, and has appeared on the cover of Midwest Meetings Magazine.